Re: _JSON sourcetype indexing data - timestamp rec...

himynamesdave · ‎03-26-2015

Hi all,

I am attempting to index a .json formatted file. Using the Splunk data checker, the fields are all extracted nicely using _JSON sourcetype (well done Splunk).

In my events there is a field named, "field.timestamp", that contains an epoch timestamp (13 digits) i want to use for the timestamp (no timestamp is recognised by default).

Here's a raw event:

{"field":{"timestamp":"1429306200000"}}

If I specify the field "field.timestamp" to Splunk as the field where the timestamp resides it still does not recognise any timestamp.

What would be a good way to extract this timestamp?

aaronkorn · ‎03-26-2015

The settings actually work. If you noticed, your timestamp is in the future...

1429306200000 equates to Fri, 17 Apr 2015 21:30:00 GMT

himynamesdave · ‎03-26-2015

i'm an idiot - thankyou!

himynamesdave · ‎03-26-2015

I have also tried setting "TIME_FORMAT = %s%3N" (13 digit epoch millisecond) which also fails

_JSON sourcetype indexing data - timestamp recognition

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

_JSON sourcetype indexing data - timestamp recognition

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk